How to secure MongoDB on Linux or Unix production server

MongoDB ransom attacks are in the wild. I am using MongoDB to store data on my public-facing cloud server powered by Ubuntu Linux. How do I protect and secure my MongoDB NoSQL server on a Linux or Unix operating system?

MongoDB is a free and open-source NoSQL document database server, commonly used by web applications to store data on a public-facing server. Securing it is critical: attackers scan for insecure MongoDB instances to steal data and delete data from unpatched or badly configured databases. In this tutorial you will learn how to secure a MongoDB instance running on a cloud server.


MongoDB config

The default file is located at /etc/mongodb.conf

The default port is TCP 27017

MongoDB server version: 3.4.1

Limit network exposure

Edit the /etc/mongodb.conf or /usr/local/etc/mongodb.conf file, enter:

$ sudo vi /etc/mongodb.conf

If your web app and MongoDB (the mongod server) are installed on the same machine, set the IP address that MongoDB binds to to 127.0.0.1. This cuts off direct communication from the internet:

# network interfaces
net:
  port: 27017
  bindIp: 127.0.0.1

However, it is possible that you have two or more servers as follows:

Fig.01: A sample modern web-app with MongoDB running inside your VLAN

In that case you need to bind mongod to 192.168.1.7 so that it can only be accessed over the VLAN:

bindIp: 192.168.1.7

The bindIp directive (bind_ip in the older ini-style config) ensures that MongoDB runs in a trusted network environment by limiting the interfaces on which MongoDB instances listen for incoming connections.

Change the default port

You can also change the default port if you want. In this example, the port directive in the net section is set to 2727 instead of the default 27017. Note that a non-standard port only reduces noise from automated scans; it is not a substitute for binding to a private address and enabling access control.

Setup access control

You need to add a user administrator to the MongoDB instance while it is still running without access control, and then enable access control. By default anyone can connect to MongoDB without credentials, which is not a good idea. For example:

Animated gif 01: Connecting a mongo shell to the instance without any sort of authentication

Connect to the DB instance

Create the user administrator

Warning: Create the user with a strong password. For demo purposes I am using ‘mySuperSecretePasswordHere’, but you should use a strong password.

You need to use the admin database. Type the following command at the > prompt to switch to it:

> use admin
switched to db admin

Next, create the user vivek in the admin database with the userAdminAnyDatabase role:

> db.createUser({user:"vivek", pwd:"mySuperSecretePasswordHere", roles:[{role:"userAdminAnyDatabase", db:"admin"}]})

Sample outputs:

Re-start the MongoDB instance

Save and close the file, then restart the MongoDB instance:

$ sudo systemctl restart mongodb

OR, if you are using FreeBSD Unix:

# service mongod restart

To authenticate when connecting as user vivek with the password for the admin database:

$ mongo -u vivek -p mySuperSecretePasswordHere --authenticationDatabase admin

Add an additional user to your DB. First create a new database called “nixcraft”:

> use nixcraft
switched to db nixcraft

Create a user named ‘nixdbuser’ with the password ‘myKoolPassowrd’ for the nixcraft db:

You can now connect to the nixcraft db as follows:

$ mongo --port 27017 -u "nixdbuser" -p "myKoolPassowrd" --authenticationDatabase "nixcraft"

This makes sure that only the authorized admin user ‘vivek’ can execute administrative commands, and that nixdbuser can only perform read/write operations on the nixcraft db. You can verify it by inserting records:

> use nixcraft
> db
> db.names.insert({"title":"Mr", "last":"Gite", "First":"Vivek"})
> db.names.find()
> show dbs

Sample outputs:

Fig.02: Enabled access control and enforced authentication
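As an added check covering the bindIp, port and access-control settings above (example code written for this page, not part of the original nixCraft post): a small POSIX shell audit that reads a MongoDB 3.x YAML config file and flags the weak settings this tutorial fixes. It assumes the standard MongoDB security.authorization config key, which the post does not show, and runs against two constructed sample configs instead of a live /etc/mongodb.conf.

```shell
#!/bin/sh
# Added audit helper, not from the nixCraft post. Reads a MongoDB 3.x YAML
# config and reports settings that leave mongod exposed. Exit 0 = all good.
mongo_conf_audit() {
    conf="$1"
    rc=0
    # net.bindIp: unset or 0.0.0.0 means mongod listens on every interface
    bind=$(awk '/^[ \t]*bindIp:/ {print $2; exit}' "$conf")
    case "$bind" in
        "")            echo "WARN: bindIp not set; listens on all interfaces"; rc=1 ;;
        *0.0.0.0*|::)  echo "WARN: bindIp=$bind exposes mongod to the internet"; rc=1 ;;
        *)             echo "OK:   bindIp=$bind" ;;
    esac
    # security.authorization (standard MongoDB key, assumed here): without it
    # anyone who can reach the port can read and drop every database
    auth=$(awk '/^[ \t]*authorization:/ {print $2; exit}' "$conf" | tr -d '"'"'")
    if [ "$auth" = "enabled" ]; then
        echo "OK:   authorization enabled"
    else
        echo "WARN: security.authorization is '${auth:-unset}'; access control off"
        rc=1
    fi
    # net.port: informational only; a changed port is obscurity, not security
    port=$(awk '/^[ \t]*port:/ {print $2; exit}' "$conf")
    echo "INFO: port ${port:-27017 (default)}"
    return $rc
}

# Constructed sample configs used to exercise the audit (not real hosts).
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
net:
  port: 27017
  bindIp: 0.0.0.0
EOF
HARDENED_CONF=$(mktemp)
cat >"$HARDENED_CONF" <<'EOF'
net:
  port: 2727
  bindIp: 192.168.1.7
security:
  authorization: enabled
EOF

echo "--- weak config";     mongo_conf_audit "$WEAK_CONF" || echo "result: NOT hardened"
echo "--- hardened config"; mongo_conf_audit "$HARDENED_CONF" && echo "result: hardened"
```

Point it at the real file with `mongo_conf_audit /etc/mongodb.conf` after editing; a non-zero exit means at least one of the settings from this tutorial is still missing.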

Patch and run updated version of your OS and MongoDB

Applying security patches is an important part of maintaining a Linux or Unix server. Linux provides all the necessary tools to keep your system updated, and also allows for easy upgrades between versions. See “20 Linux Server Hardening Security Tips” for more information.


Posted by: Vivek Gite

